WoSign and StartCom: next steps


Gervase Markham

Sep 29, 2016, 11:41:12 AM
to mozilla-dev-s...@lists.mozilla.org
Hi everyone,

Following the publication of the recent investigative report,
representatives of Qihoo 360 and StartCom have requested a face-to-face
meeting with Mozilla. We have accepted, and that meeting will take place
next Tuesday in London.

After that, we expect to see a public response and proposal for
remediation from them, which will be discussed here before Mozilla makes
a final decision on the action we will take.

Gerv

Han Yuwei

Sep 29, 2016, 1:12:37 PM
to mozilla-dev-s...@lists.mozilla.org
On Thursday, September 29, 2016 at 11:41:12 PM UTC+8, Gervase Markham wrote:
Could you disclose what you would talk about or what would be determined at the meeting? And would there be a video or transcript of your meeting?

Peter Kurrasch

Sep 29, 2016, 10:04:05 PM
to mozilla-dev-s...@lists.mozilla.org
So if WoSign will not be present to discuss possible sanctions against WoSign, what are we to infer from that? Is Qihoo 360 acting in a capacity that is more than just an investor in WoSign? 

I'm trying not to get too far ahead of things, but this seems to be a very curious turn of events.



Vincent Lynch

Sep 29, 2016, 10:07:45 PM
to Peter Kurrasch, mozilla-dev-s...@lists.mozilla.org
Hi Peter,

If you look in the original thread on M.S.D.P you will see that Qihoo made
a statement that they owned a majority share in WoSign. I'm sure that
Mozilla has ensured Qihoo has the proper authority and permission to speak
on behalf of WoSign.

-Vincent
--
Vincent Lynch

谭晓生

Sep 29, 2016, 10:14:56 PM
to Peter Kurrasch, mozilla-dev-s...@lists.mozilla.org
So far 360 is just an investor in WoSign, but we think we need to do something because of what happened.
I’d like to have suggestions from Gerv as to whether having Richard Wang join the meeting is a better proposal.

Thanks,
Xiaosheng Tan



Gervase Markham

Sep 30, 2016, 7:18:52 AM
to 谭晓生, Peter Kurrasch
On 30/09/16 03:14, 谭晓生 wrote:
> So far 360 is just an investor in WoSign, but we think we need to do something because of what happened.
> I’d like to have suggestions from Gerv as to whether having Richard Wang join the meeting is a better proposal.

Hi Xiaosheng,

I think it is a decision for Qihoo 360, WoSign and StartCom together to
decide who represents them. I'm confident that the three companies will
send representatives to the meeting who have the authority to discuss
and then publicly propose a remediation plan that we can consider, and
ensure that whatever is agreed is carried out.

Gerv

Gervase Markham

Sep 30, 2016, 7:24:25 AM
to Han Yuwei
On 29/09/16 18:12, Han Yuwei wrote:
> Could you disclose what you would talk about or what would be determined
> at the meeting? And would there be a video or transcript of your
> meeting?

We don't plan to make a video or release a transcript, but Mozilla will
also not be finalising any plans for action at the meeting either. From
our perspective, the aim is to discuss whatever plans
Qihoo/StartCom/WoSign have to improve the situation and help them
understand what is most likely to be acceptable to us and to the community.

Then they will go away and, hopefully fairly soon afterwards, make a
public proposal for what they are going to do. That will be discussed
here, and after the discussion, the Mozilla module owner (who takes the
final decision) will decide whether we will continue to execute our
proposed plan exactly as it stands, or modify it in the light of any new
information or undertakings provided.

Gerv

Hanno Böck

Sep 30, 2016, 7:45:54 AM
to dev-secur...@lists.mozilla.org
Hi,

I just want to throw out some thoughts and I hope the people involved
find it noteworthy. Please note that I am in no way in a position to
decide anything here, I'm just someone who happens to have an opinion
on the stuff going on.

This seems to be some last minute attempt to rescue WoSign/StartCom as
a CA. Despite all the stuff that happened I kinda sympathize with it,
for two reasons:
* I think WoSign and StartCom did a lot of good for the web by providing
free certificate options and I think it'd be problematic to have a
Let's Encrypt monopoly for free certificates.
* I fear that if WoSign gets removed that this might lead to a further
separation of the Chinese web. I don't want to see a situation where
Chinese webpages use a Chinese certificate that the browsers from the
rest of the world don't accept. I don't think this is in anyone's
interest, as it would harm the Internet as a whole.

I guess the community could agree to let WoSign stay in the browsers,
but it must be clear that there is a sincere will to handle things
differently in the future. My advice to the representatives of
WoSign/StartCom/Qihoo would be to be as transparent as possible.
I think the major reason people find this Mozilla research so damning
is because it looks a lot like you were trying to hide things. This was
further fuelled by multiple statements in the form "we don't have to
talk about this".
If you want to regain trust from the community you'll have to talk
about it. This isn't about any legal requirements, it's about trust
from the community. Be open about who owns which company, who's in
charge and also tell us exactly why these things happened in the past
and how you want to prevent them from happening again.


Minor sidenote: there have been some concerns about TLS security
vulnerabilities of the Qihoo 360 browser [1] [2]. While this is not
directly related to the operation of a CA, it surely would increase the
community's trust of Qihoo 360 if these issues get resolved quickly.


[1] https://cabforum.org/pipermail/public/2015-April/005441.html
[2] https://twitter.com/ryancdotorg/status/780470538686697472

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Florian Weimer

Sep 30, 2016, 8:41:37 AM
to Hanno Böck, dev-secur...@lists.mozilla.org
* Hanno Böck:

> Minor sidenote: there have been some concerns about TLS security
> vulnerabilities of the Qihoo 360 browser [1] [2]. While this is not
> directly related to the operation of a CA, it surely would increase the
> community's trust of Qihoo 360 if these issues get resolved quickly.
>
>
> [1] https://cabforum.org/pipermail/public/2015-April/005441.html
> [2] https://twitter.com/ryancdotorg/status/780470538686697472

It is certainly possible to implement access to servers using
untrusted X.509 certificates in such a way that security is
compromised only after further user action (e.g. supplying login
credentials, despite the browser warning). A reasonable approximation
of such a secure implementation is to visit the site with a fresh
Firefox profile, and override the certificate warning.

More care is needed to check the origin of the cookie which, according
to Tom Ritter's post, the browser transmitted without further user
interaction. It might be the case that the cookie is not marked as
secure (restricting it to HTTPS), or it may have been created as a
secure cookie over an untrusted HTTPS connection.

Gervase Markham

Oct 3, 2016, 4:41:50 AM
to Han Yuwei
On 30/09/16 12:23, Gervase Markham wrote:
> We don't plan to make a video or release a transcript, but Mozilla will
> also not be finalising any plans for action at the meeting either. From
> our perspective, the aim is to discuss whatever plans
> Qihoo/StartCom/WoSign have to improve the situation and help them
> understand what is most likely to be acceptable to us and to the community.

It is probably also useful to point out that Mozilla can have such
discussions only on our own behalf; we do not speak for or coordinate
decisions with the other root programs, who may decide to take action or
impose requirements different from those Mozilla decides to take or impose.

Gerv

Gervase Markham

Oct 4, 2016, 12:25:16 PM
to mozilla-dev-s...@lists.mozilla.org
On 29/09/16 16:40, Gervase Markham wrote:
> Following the publication of the recent investigative report,
> representatives of Qihoo 360 and StartCom have requested a face-to-face
> meeting with Mozilla. We have accepted, and that meeting will take place
> next Tuesday in London.

This meeting happened today; thank you to representatives of Qihoo 360,
StartCom and WoSign who travelled great distances to come. I'm happy
that Mozilla was able to successfully communicate what we hoped to see
from these companies, and expect to see a proposed plan from them very
shortly.

Once that plan is published, we will be able to discuss whether the
steps contained in it should lead to Mozilla changing our proposal for
the measures we intend to take.

Gerv

Ryan Sleevi

Oct 6, 2016, 3:38:27 PM
to mozilla-dev-s...@lists.mozilla.org
Hi Gerv,

Do you have any further updates regarding this plan? This seems to have stalled any further discussions about next steps.

Best,
Ryan

Gervase Markham

Oct 7, 2016, 5:39:22 AM
to Ryan Sleevi, 蔡欣华, 谭晓生, Inigo Barreira
On 06/10/16 20:38, Ryan Sleevi wrote:
> Do you have any further updates regarding this plan? This seems to
> have stalled any further discussions about next steps.

I am a little surprised it hasn't appeared by now. We did not agree a
specific deadline, but my impression was that it would appear in a few
days, which I mentally interpreted as "by the end of the week". Today is
Friday, so there is still time for my vague expectations to be met :-)

I'm sure Edward, Tan and Inigo are working on it furiously. Perhaps they
can give a status update and an estimated time of publication?

Gerv

Richard Wang

Oct 7, 2016, 6:45:02 AM
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org
Hi Gerv,

This is the updated incident report: https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf .


Thanks.


Regards,

Richard


Eddy Nigg

Oct 9, 2016, 7:10:41 AM
to mozilla-dev-s...@lists.mozilla.org
On 10/07/2016 12:38 PM, Gervase Markham wrote:
> I am a little surprised it hasn't appeared by now. We did not agree a
> specific deadline, but my impression was that it would appear in a few
> days, which I mentally interpreted as "by the end of the week". Today is
> Friday, so there is still time for my vague expectations to be met :-)
>
> I'm sure Edward, Tan and Inigo are working on it furiously. Perhaps they
> can give a status update and an estimated time of publication?

Hi Gerv,

I'm sorry for the somewhat late reply due to holidays/weekends and
flight connections of the participants of the meeting. First thanks for
hosting the meeting and I'm sorry that I personally couldn't attend.

WoSign already provided its incident report which includes basically
most information regarding the various issues and failures. There were
parts of the proposed steps mentioned already, hereby I'm trying to
summarize it. Next week we'll add sub sections and dates to it:


1) Legal Structure - Separation of StartCom and WoSign's legal
structure - StartCom reports directly to Qihoo 360.

2) Management / Board - Mr. Tan is appointed Chairman of StartCom,
Inigo Barreira appointed CEO/Director of StartCom.

3) Team / Operations - Tan and Inigo work to separate StartCom and
WoSign verification, development and management teams. Basically any
previously shared functions (where they existed) will be separated.

4) System / Software - Any shared infrastructure will be separated
from WoSign, current code base will be reviewed by Qihoo 360 and audited
internally. StartCom makes the systems available for an external
security audit as necessary.

5) All certificates past, present and future will be logged with CT
compliant log servers.

6) Public Documentation - StartCom will present its near-term plan
and update as it progresses.


Item 6 is currently the outlined steps above, plus most specifications,
sub steps, specific dates in particular for items 3 and 4. I assume that
steps and promises StartCom commits to will be auditable and/or easy to be
confirmed.

I assume that Inigo will report to the mailing list sometimes directly
too in order to update on the progress.

--
Regards
Signer: Eddy Nigg, Founder
StartCom Ltd. <http://www.startcom.org>
XMPP: star...@startcom.org <xmpp:star...@startcom.org>
